Security
Joshua Thijssen edited this page May 30, 2020
I'm in no way a security expert, which makes it scary when trying to create a secure system for dealing with (personal) emails.
These are the things we thought about, or that still pose problems:
- MailServer to MailServer uses TLS with ECDHE for perfect forward secrecy.
- Everything depends on a single private RSA key (4096 bits). It is used for the following:
  - logging into the mailserver to read emails
  - logging into the mailserver to send emails
  - decrypting emails (which are encrypted with its public key)
  Should we use Ed25519 instead? Thoughts?
- Once a private key is exposed, the following can happen:
  - we can write emails on behalf of somebody
  - we can decrypt the catalog-key inside each message-header, which results in:
    - we can decrypt the blob-keys inside each message-catalog, which results in:
      - we can decrypt each blob of each message
- An exposed public key by itself is not enough: you still need to know the actual email address. The only unencrypted reference to an email address is its SHA256 sum.
Encryption works the following way:
- We fetch the public key of the receiver. This can be done by contacting the receiver's mail-server, or maybe even through a DHT system.
- We encrypt the body-blocks and attachments of the message with AES256, each with its own key and IV.
- We generate a catalog with information about these blocks (checksums, IVs) and encrypt the AES keys with the receiver's public RSA key.
- We encrypt the catalog with AES256, with a separate IV and key.
- We create a message header containing the checksum of the catalog together with its IV, and encrypt this AES key also with the public RSA key of the receiver.
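The steps above, and the key-exposure chain listed earlier (private key, then catalog key, then blob keys, then blobs), as an added Go example that is not the project's own code: every block gets a fresh AES key and IV, each key is wrapped with the receiver's RSA key, the catalog lists checksums, IVs and wrapped keys, and the header describes the encrypted catalog in the same shape. AES-256-GCM, RSA-OAEP with SHA-256, the `Entry` type, the `newKey`/`seal`/`unseal`/`Encrypt` names and the JSON catalog encoding are all assumptions, since the page only says AES256 and RSA.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"io"
)
// Entry is an assumed type (not the project's own): one catalog line per block; the header is the same shape, describing the catalog.
type Entry struct{ Checksum, IV, WrappedKey []byte }
// newKey makes a receiver key pair (the page uses 4096 bits; 2048 keeps a demo fast).
func newKey(bits int) (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, bits) }
// gcm wraps a 32-byte key in AES-256-GCM (GCM is assumed; the page only says AES256).
func gcm(key []byte) cipher.AEAD {
	blk, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	g, _ := cipher.NewGCM(blk)   // cannot fail for an AES block
	return g
}
// seal encrypts plain under a fresh key and IV, wraps the key with the receiver's
// public RSA key (OAEP/SHA-256) and returns the Entry (checksum, IV, wrapped key).
func seal(pub *rsa.PublicKey, plain []byte) (Entry, []byte, error) {
	buf := make([]byte, 44)
	if _, err := io.ReadFull(rand.Reader, buf); err != nil { return Entry{}, nil, err }
	key, iv := buf[:32], buf[32:]
	ct := gcm(key).Seal(nil, iv, plain, nil)
	sum := sha256.Sum256(ct)
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return Entry{sum[:], iv, wk}, ct, err
}
// unseal reverses seal: verify the checksum, unwrap the key with the private key, decrypt.
func unseal(priv *rsa.PrivateKey, e Entry, ct []byte) ([]byte, error) {
	if s := sha256.Sum256(ct); string(s[:]) != string(e.Checksum) { return nil, errors.New("checksum mismatch") }
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.WrappedKey, nil)
	if err != nil { return nil, err }
	return gcm(key).Open(nil, e.IV, ct, nil)
}
// Encrypt follows the page's order: seal each block, build the catalog, seal it, header.
func Encrypt(pub *rsa.PublicKey, bodies [][]byte) (hdr Entry, cat []byte, blocks [][]byte, err error) {
	var entries []Entry
	for _, b := range bodies {
		e, ct, err := seal(pub, b)
		if err != nil { return Entry{}, nil, nil, err }
		entries, blocks = append(entries, e), append(blocks, ct)
	}
	raw, _ := json.Marshal(entries) // []byte fields encode as base64
	hdr, cat, err = seal(pub, raw)
	return
}
```

Applying `unseal` to the header and then to every catalog entry is exactly the exposure chain listed above: whoever holds the private key recovers the catalog key, then each blob key, then each blob.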
- The private key should have a pass-phrase. Can we force this?
- Can we store the private key securely, for instance in the OSX keychain?
- Can we decrease the attack surface? When a private key is compromised, we might be able to send/receive emails (provided we also know the actual email address for this private key), but can we somehow make sure we can't decrypt the emails?
- Could every email be encrypted with a different key (like DH)? How would this work?